What categories will be displayed when you filter Threat logs by DNS Security Category?

15888
Created On 02/02/23 19:58 PM - Last Modified 10/09/25 18:00 PM


Question


What categories will be displayed when you filter Threat logs by DNS Security category?

Environment


DNS Security License
PAN-OS 10.0 and above


Answer


Threat logs can be filtered by DNS Security category. Depending on the category and on the detections observed on a firewall, one or more Unique Threat IDs (UTIDs) are displayed.

The following lists what each filter displays when the category is set as the criterion in Threat logs:


1. dns-c2

  • Log Filter: (category-of-threatid eq dns-c2)
    • Command and Control (UTID of the specific domain detected)
    • DNS Tunnel Detection (UTID: 109001001/109001002)
    • DGA Domain Detection (UTID: 109000001)
    • NXNS Attack (UTID: 109010007)
    • DNS Rebinding (UTID: 109010009)
    • DNS Infiltration (UTID: 109001003)

2. dns-malware

  • Log Filter: (category-of-threatid eq dns-malware)
    • Malware (UTID of the specific domain detected)
    • Malware Compromised DNS (UTID: 109003001)
    • Ransomware (UTID: 109003002)

3. dns-grayware

  • Log Filter: (category-of-threatid eq dns-grayware)
    • Grayware Domains (UTID: 109010002)
    • Fastflux Detection (UTID: 109010005)
    • Malicious NRD (UTID: 109010006)
    • Dangling Domains (UTID: 109010008)
    • Wildcard Abuse (UTID: 109002001)
    • Strategically-aged Domains (UTID: 109002002)
    • Subdomain Reputation (UTID: 109002004)
    • Squatting (UTID: 109002003)
    • Stockpile Domain (UTID: 109002005)
    • Domain Masquerading (UTID: 109002006)

4. dns-adtracking

  • Log Filter: (category-of-threatid eq dns-adtracking)
    • Ad Tracking Domains (UTID: 109004000)
    • CNAME Cloaking (UTID: 109004001)

5. dns-ddns

  • Log Filter: (category-of-threatid eq dns-ddns)
    • Dynamic DNS Hosted Domains (UTID: 109020002)


6. dns-new-domain

  • Log Filter: (category-of-threatid eq dns-new-domain)
    • Newly Registered Domains  (UTID: 109020001)


7. dns-phishing

  • Log Filter: (category-of-threatid eq dns-phishing)
    • Phishing Domains  (UTID: 109010001)


8. dns-parked 

  • Log Filter: (category-of-threatid eq dns-parked)
    • Parked Domains  (UTID: 109010003)


9. dns-proxy 

  • Log Filter: (category-of-threatid eq dns-proxy)
    • Proxy Avoidance and Anonymizers (UTID: 109010004)


10. dns-dnsmisconfig

  • Log Filter: (category-of-threatid eq dns-dnsmisconfig)

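The category-to-UTID mapping above, carried into working code as an added example that is not part of the original article: it tabulates the UTIDs listed for each category, parses the `(category-of-threatid eq <category>)` filter shape the article uses, and applies it to constructed sample records, the way one would when triaging Threat logs already exported to a SIEM rather than on the firewall itself. The regex filter grammar, the record field names and the sample records are assumptions made for this example; the domain-specific Command and Control and Malware verdicts are left out because their UTIDs are per domain and cannot be tabulated.

```python
import re
from collections import Counter

# category -> {UTID: detection name}, as listed in the article. C2 and Malware
# verdicts on specific domains carry per-domain UTIDs and cannot be tabulated.
DNS_SECURITY_UTIDS = {
    "dns-c2": {
        109001001: "DNS Tunnel Detection",
        109001002: "DNS Tunnel Detection",
        109000001: "DGA Domain Detection",
        109010007: "NXNS Attack",
        109010009: "DNS Rebinding",
        109001003: "DNS Infiltration",
    },
    "dns-malware": {109003001: "Malware Compromised DNS", 109003002: "Ransomware"},
    "dns-grayware": {
        109010002: "Grayware Domains",
        109010005: "Fastflux Detection",
        109010006: "Malicious NRD",
        109010008: "Dangling Domains",
        109002001: "Wildcard Abuse",
        109002002: "Strategically-aged Domains",
        109002004: "Subdomain Reputation",
        109002003: "Squatting",
        109002005: "Stockpile Domain",
        109002006: "Domain Masquerading",
    },
    "dns-adtracking": {109004000: "Ad Tracking Domains", 109004001: "CNAME Cloaking"},
    "dns-ddns": {109020002: "Dynamic DNS Hosted Domains"},
    "dns-new-domain": {109020001: "Newly Registered Domains"},
    "dns-phishing": {109010001: "Phishing Domains"},
    "dns-parked": {109010003: "Parked Domains"},
    "dns-proxy": {109010004: "Proxy Avoidance and Anonymizers"},
}

# Reverse index: every UTID belongs to exactly one category.
UTID_TO_CATEGORY = {u: c for c, table in DNS_SECURITY_UTIDS.items() for u in table}

# Simplified grammar covering only the filter shape the article uses; the real
# firewall filter language is richer. This regex is an assumption for offline use.
FILTER_RE = re.compile(r"^\(\s*category-of-threatid\s+eq\s+([a-z0-9-]+)\s*\)$")


def parse_filter(expr):
    """Return the category named in '(category-of-threatid eq <category>)'.

    Anything else, including an unbalanced parenthesis or an unknown category,
    raises ValueError so a mistyped saved filter fails loudly rather than
    silently matching nothing.
    """
    m = FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"malformed filter: {expr!r}")
    category = m.group(1)
    if category not in DNS_SECURITY_UTIDS:
        raise ValueError(f"unknown DNS Security category: {category}")
    return category


def category_of(utid):
    """Category a UTID is filed under, or None when it is not in the table."""
    return UTID_TO_CATEGORY.get(utid)


def detection_name(utid):
    """Detection name for a UTID, or None when it is not in the table."""
    category = category_of(utid)
    return DNS_SECURITY_UTIDS[category][utid] if category else None


def apply_filter(expr, records):
    """Keep the records whose 'threatid' belongs to the filter's category."""
    wanted = parse_filter(expr)
    return [r for r in records if category_of(r["threatid"]) == wanted]


def summarize(records):
    """Count records per category; UTIDs outside the table go to 'unmapped'."""
    return Counter(category_of(r["threatid"]) or "unmapped" for r in records)


# Constructed sample records, not exported firewall logs; only the fields used
# above are present and the query names are placeholders.
SAMPLE_RECORDS = [
    {"threatid": 109001001, "src": "10.0.0.11", "query": "t1.example.invalid"},
    {"threatid": 109000001, "src": "10.0.0.12", "query": "x7q9zk.example.invalid"},
    {"threatid": 109003002, "src": "10.0.0.13", "query": "r.example.invalid"},
    {"threatid": 109010001, "src": "10.0.0.14", "query": "login.example.invalid"},
    {"threatid": 109002003, "src": "10.0.0.15", "query": "examp1e.invalid"},
    {"threatid": 999999999, "src": "10.0.0.16", "query": "other.example.invalid"},
]

if __name__ == "__main__":
    for r in apply_filter("(category-of-threatid eq dns-c2)", SAMPLE_RECORDS):
        print(r["src"], r["query"], detection_name(r["threatid"]))
    print(dict(summarize(SAMPLE_RECORDS)))
```

Running the script lists the two constructed records that a dns-c2 filter would keep and then a per-category count of the whole sample, with the UTID that is in no table reported as unmapped so it is not silently dropped from a review.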

Following the same approach, Advanced DNS Security logs can be filtered as follows:

  • DNS Hijacking—adns-hijacking
    • (category-of-threatid eq adns-hijacking)
  • DNS Misconfiguration—adns-dnsmisconfig
    • (category-of-threatid eq adns-dnsmisconfig)
  • DNS—adns-benign
    • (category-of-threatid eq adns-benign)
  • Malware Domains—adns-malware
    • (category-of-threatid eq adns-malware)
  • Command and Control Domains—adns-c2
    • (category-of-threatid eq adns-c2)
  • Phishing Domains—adns-phishing
    • (category-of-threatid eq adns-phishing)
  • Dynamic DNS Hosted Domains—adns-ddns
    • (category-of-threatid eq adns-ddns)
  • Newly Registered Domains—adns-new-domain
    • (category-of-threatid eq adns-new-domain)
  • Grayware Domains—adns-grayware
    • (category-of-threatid eq adns-grayware)
  • Parked Domains—adns-parked
    • (category-of-threatid eq adns-parked)
  • Proxy Avoidance and Anonymizers—adns-proxy
    • (category-of-threatid eq adns-proxy)
  • Ad Tracking Domains—adns-adtracking
    • (category-of-threatid eq adns-adtracking)


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000samnCAA&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail